When Ermetic, a cloud access security risk company, opened its doors in 2019, one of the first things the company did was conduct a survey to ascertain the most significant cloud-related security concerns and whether businesses were able to keep their data safe in this environment. More than three quarters of the 300 respondents had a cloud data breach in the past 18 months; almost half had at least 10 cloud breaches during that time. Amy Ariel, Chief Marketing Officer at Ermetic, which has headquarters in Palo Alto, California, and Tel Aviv, Israel, said it was “amazing” to see people admitting to those kinds of numbers, but not shocking that those breaches were occurring.

“We know that the cloud is very exposed and is an open invitation and hackers are trying to get there,” she said. “In an industry where data is of value, the number of potential breaches will be high because the number of attempts is so high.”

It is important that healthcare providers understand they can be, at least in part, responsible for reducing the risk to information stored in the cloud. Both covered entities and business associates need to follow HIPAA procedures through a shared responsibility model.

Basic Security Hygiene

There are several things a provider can do to diminish the chances data stored in the cloud will be breached, and they are all just generally smart HIPAA practices.

First is password security. Do not leave sticky notes with passwords lying around the office and do not use shared passwords. Using multi-factor authentication can also help reduce the chance of unauthorized people accessing others’ accounts. It is also wise to require staff to change their passwords on a regular basis.

Any computers that can access information in the cloud should have anti-malware and antivirus software installed as well, said Jon Moore, Chief Risk Officer and Senior Vice President of Consulting Services at Clearwater Compliance, a healthcare cyber risk management company based in Nashville, Tennessee. Encryption is also recommended so protected health information is difficult to read if a system does get breached.

Shared Responsibility

It is incumbent upon any organization that has information stored in the cloud to be sure they understand their responsibilities and have the staff to do what is needed for their security tasks.

The only way to know this for sure is to understand the type of cloud model that is being used. The 3 main models are platform as a service, infrastructure as a service, and software as a service. Each of these has a different shared security model, and healthcare providers have varying roles and responsibilities depending on the model they are using.

“Practices need to be aware of that, or they could get themselves into a jam,” Moore said. “They need to have the confidence that they are going to be able to meet their security responsibilities, and if they can’t, they need to stay away from the cloud.”

Major cloud providers, like Amazon Web Services or Microsoft Azure, have a lot of safety built into their programs, Moore said. But providers still need to know what to do with the various features. For instance, Azure has an add-on that monitors cloud environments, but practices must have staff who can track the logs that record potential problems and respond to alerts sent by the program.

This article originally appeared on Renal and Urology News